If the only thing we need to do is add AES-GCM, then the obvious venue is
But we do need to do something soon because S/MIME is losing deployment
support. It isn't in the new Microsoft platform mail system, it is virtually
unusable in iOS, it is absent in the Android client and it takes 30 minutes to
configure Thunderbird. That would not worry me if OpenPGP were filling the gap
but it is not.
If we are going to get working end to end secure mail, several things have to
1) Stop the S/MIME vs OpenPGP standards battle. The GNU code and most of the
other libraries for OpenPGP support S/MIME. They have to do PKIX for SMTP
STARTTLS, so S/MIME is a minor extra burden.
The choice of message infrastructure should not determine the choice of the
trust infrastructure. It is not possible to solve every trust problem with
either PKIX or Web of Trust or direct trust via fingerprints.
2) We have to have up to date specifications for the end-to-end message formats
that define a consistent modern crypto suite. [CURDLE]
3) We have to work out how to make end to end mail work properly with Web Mail
4) Configuration of the clients has to be absolutely painless. Which is what I
designed the Mathematical Mesh to address. Use cryptography to solve the
problem of making computers easier to use.
I am just redoing my podcast demonstrating the Mesh, the sound on the first one
doesn't meet my standards.
If people want to look at what I have done and then do the same thing
completely differently, that is fine with me as long as they do it, deploy it
and it works as well. But given that I am using a completely modern,
fashionable set of standards (HTTP/1.1, JSON, JOSE, CURDLE) and none of this
requires a CA, I can't see it as likely that people would want to make that sort of
It does need review though. And deployment. The killer app for the Mesh can't
be secure email because there isn't much value to a system that reaches 0.1% of
Internet users (combined user base of OpenPGP and S/MIME). But most people would
like to have an easy, robust and really secure way to manage SSH keys, most
people would like an easy way to encrypt their data in the cloud and pretty
much everyone is fed up with having to remember passwords for 100 web sites.
All those benefits are immediate regardless of whether anyone else buys in.
The Mesh itself is an untrustworthy service, this is a completely end to end
protocol. The user is in direct and full control of all their data at all times.
Sent from Outlook Mobile
From: Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz>
Sent: Thursday, January 28, 2016 11:37 PM
Subject: Re: [smime] Message takeover attacks against S/MIME
To: Russ Housley <housley(_at_)vigilsec(_dot_)com>, IETF SMIME
Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:
> Take a look at this article: http://cryptosource.de/posts/smime_mta_en.html
> Is there interest in updating the S/MIME specification to use authenticated-
It looks like a pretty contrived attack, you need to be able to truncate a
message, both at the start and end, on a 16-byte boundary to turn a signed
message into a plain, unsigned one, and still have the client accept the
result as a valid message. They found one client that does that, but that
sounds more like a buggy client than a major problem (none of the others did
In any case the fix should be pretty minimal, if anything is required at all:
If the SMIMECaps in the cert you're encrypting for indicates authEnc, use
that. My code already does that and possibly other implementations do too.
smime mailing list
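An added example, not part of either message in this thread, showing the property the discussion turns on. The message is a constructed stand-in for signed-then-encrypted mail (hypothetical wrapper markers rather than CMS SignedData encoding, and block-aligned so that no padding is involved). Under AES-CBC an attacker who cuts whole blocks off both ends of the ciphertext is left with something the recipient decrypts cleanly to the bare, unsigned content; the same cut under AES-GCM fails authentication even with the nonce and tag left in place. The function names (pad16, runCBC, cbcDecrypt, runGCM) and the sample text are this example's own, not anything from the thread or from any S/MIME implementation:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize

// pad16 pads s with spaces to whole AES blocks, so that every part of the
// constructed message sits on a 16-byte boundary (the attack's precondition).
func pad16(s string) []byte {
	b := []byte(s)
	for len(b)%blockSize != 0 {
		b = append(b, ' ')
	}
	return b
}

// Constructed stand-in for signed-then-encrypted mail: a signature wrapper
// around the content (hypothetical markers, not real CMS SignedData encoding).
var (
	signedHeader  = pad16("-----BEGIN SIGNED-----\nFrom: alice@example.com\n")
	innerContent  = pad16("Please wire 1000 EUR to account 42.\n")
	signedTrailer = pad16("-----SIGNATURE BLOCK-----\n")
	signedMessage = bytes.Join([][]byte{signedHeader, innerContent, signedTrailer}, nil)
)

// runCBC encrypts the signed message as IV || AES-CBC(message) (no padding:
// the sample is already block-aligned), then plays the attacker, who keeps
// only the blocks covering the content. The block just before them acts as
// the IV, so the recipient decrypts the bare content with no signature around it.
func runCBC(key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, blockSize+len(signedMessage))
	if _, err := rand.Read(ct[:blockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, ct[:blockSize]).CryptBlocks(ct[blockSize:], signedMessage)
	forged := ct[len(signedHeader) : len(ct)-len(signedTrailer)]
	return cbcDecrypt(block, forged)
}

// cbcDecrypt is the recipient: IV || blocks in, plaintext out. Block alignment
// is the only check CBC offers, so a whole-block truncation passes it.
func cbcDecrypt(block cipher.Block, data []byte) ([]byte, error) {
	if len(data) < 2*blockSize || len(data)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(data)-blockSize)
	cipher.NewCBCDecrypter(block, data[:blockSize]).CryptBlocks(out, data[blockSize:])
	return out, nil
}

// runGCM makes the same cut under AES-GCM, keeping the nonce and the tag
// intact. Open still fails: the tag was computed over the removed bytes too.
func runGCM(key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, signedMessage, nil) // ciphertext || tag
	tag := ct[len(ct)-aead.Overhead():]
	kept := ct[len(signedHeader) : len(ct)-aead.Overhead()-len(signedTrailer)]
	forged := append(append([]byte{}, kept...), tag...)
	return aead.Open(nil, nonce, forged, nil)
}

func main() {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	p, err := runCBC(key)
	fmt.Printf("CBC: err=%v content=%q\n", err, p)
	p, err = runGCM(key)
	fmt.Printf("GCM: err=%v content=%q\n", err, p)
}
```

Whether a particular client's padding or content-syntax handling would also have caught such a message is exactly the client-specific question raised above; on the AEAD side the question does not arise, since any change to the ciphertext length fails the tag check before a parser ever sees the result. That is what choosing an authenticated-encryption algorithm when the recipient's certificate advertises it buys the sender.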